General

  • Target

    master.zip

  • Size

    682.3MB

  • Sample

    250217-wkxzzs1lfy

  • MD5

    ba06cb72b125a0a353b87008d95e86ca

  • SHA1

    9b4d7e2f1087ccbe73012c8237b0609f10576806

  • SHA256

    ba18ff142bae31457031ca49e772b10792ad3a5bdead90cb2c1d37e2a6c2fd59

  • SHA512

    3270783c7b42014ecfa3be771d675cffe75a0ba65cf7d4e0f5e1d61e65a4cee2c6f2e471c0e95ef23799c6a7b2eb7edbca8393d59353f4d6531099dd4def909e

  • SSDEEP

    12582912:Bo4WyWq2xPQ3JjlAd9hpopjS5j/5i7Pdst6n8+fLOzV0fPWc+afxK6kKuq:BoJqJ5Bs9hpop25bvTGLeVJc3xgdq

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

  • exe.dropper

    https://webmail.lax.co.il/owa/auth/Current/Script/jquery-3.5.1.min.js

Extracted

Family

revengerat

Botnet

Guest

C2

voly.ddns.net:88

Mutex

RV_MUTEX-BUPRawrSNddXxdY

Extracted

Family

spynote

C2

voly.ddns.net:1988

Extracted

Family

sandrorat

C2

voly.ddns.net:1962

Extracted

Family

njrat

Version

Hallaj PRO Rat [Fixed]

Botnet

HacKed

C2

voly.ddns.net:81

Mutex

23e6d18d0fa7e25eb8844687c5ca5f5c

Attributes
  • reg_key

    23e6d18d0fa7e25eb8844687c5ca5f5c

  • splitter

    boolLove

Extracted

Family

cobaltstrike

Botnet

0

C2

http://summerevent.webhop.net:443/safebrowsing/rd/tnOztRgLx1ugKt8uumGcreRFm5CqXD9ge-zzz5sA6WzhC

Attributes
  • access_type

    512

  • beacon_type

    2048

  • crypto_scheme

    256

  • host

    summerevent.webhop.net,/safebrowsing/rd/tnOztRgLx1ugKt8uumGcreRFm5CqXD9ge-zzz5sA6WzhC

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAAAhQUkVGPUlEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAABJVPXNSdjg1VUhpakJycldpSHoAAAACAAAACFBSRUY9SUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    3840

  • maxdns

    247

  • polling_time

    6600

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmFvK6fWzx+zTnQqAkZAQv6Eqwme1a80cwMNtrYEJShrKKbgpTy71w5Zd9u7EdBClno3HF9U4/9/tkBRw6PPPRa+W6bgpf97I3/Y0z36I5E/h+UP8h076IkzaWyPHbS1QMOiE6AXC3rCERjgirkn1LKUs+Q+zj0LeN8/QHEq/ZqQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /safebrowsing/rd/r8l4jO3947jVxa5wBhEijGc0y77iX4oFy

  • user_agent

    Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0

  • watermark

    0

Extracted

Family

jupyter

Version

DR/1.4

C2

http://45.146.165.219

Extracted

Family

jupyter

Version

DR/1.0

C2

http://45.135.232.131

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtps.aruba.it
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    info1943

Extracted

Family

lokibot

C2

https://academydea.com/alhaji/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    cr*fDaW&m@2y6u

Targets

    • Target

      Γενική ειδοποίηση χρονοδιαγράμματος εργασίας στο COVID-19.exe

    • Size

      762KB

    • MD5

      62f9618752fffbd4ff7d52fdc39ec5fb

    • SHA1

      0aca420c79a13982f5ec8499a35684276bca4433

    • SHA256

      f681c1f8c12956a20c27beb9be1112374fefc7651884d7dd92010b40db1e7bee

    • SHA512

      f87598495b6bba85d77c2cfba2904060bd7031ff3e1a40cd44725e6485bd8c20f935fee360a9a5e7962601344bde64ef407d895346ed3f9c6e2148f0d02d06c9

    • SSDEEP

      12288:+Qm+VW77777I777oE9K/zepqfxPCddcTvxlK2X+jmnhCMtOnMiJ6pD:HfVW77777I77774zepqfwdmrlujyhZ4k

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • AgentTesla payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      Covid 19 Immunity Tips.exe

    • Size

      388KB

    • MD5

      76fffeef410bd6b633c09c0f6529891d

    • SHA1

      774a51b0b07a7c606672a669fca5939b25b53e66

    • SHA256

      e4e5c3a6c15beff4e17117075e2c0bd65f176d81e6885134d2b4d97c20d4773a

    • SHA512

      1fca78852d9ba98ae4ee2ade1694038e6da6fa2d1e29a82e859f6963d6d86b4247da70c7f9780e0ea36f7f7dff178de9c55a450e528c30a073ebbff94423a3d4

    • SSDEEP

      12288:HTYFk+FX3k1xJo2X/S2v4WAqhafvUT1Pk9J7y:Hck+RMxJX/S2vOgaf6c

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Target

      Original.document.exe

    • Size

      1.4MB

    • MD5

      e7351df51633435293ddc09de7fdc57c

    • SHA1

      08e1c2328773a1040194446d0814fc07673526bf

    • SHA256

      7b98cd3800dede6537cf78e7b61eeeda71d251dc97c70cb7c2135c6aa310ab7f

    • SHA512

      705420ca8ea83df7dc0e2155a00aef5b0d4c32ac4db3e7332d84e7e16bc52ffc4bc5f80ed76790c163aa2a317edd9d86eb16d062352f3c466ca50db10556eabd

    • SSDEEP

      24576:Htb20pkaCqT5TBWgNQ7aqia9uDTlos7hTt2WB2W+DZJBSI6A:EVg5tQ7aq7MTqcGWgPn5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      COVID-19 WHO RECOMENDED V.exe

    • Size

      378KB

    • MD5

      1179a7989031fc4b6331505b388dcb12

    • SHA1

      eb644752ffb7d9b12511a0d10448150c91eb30bd

    • SHA256

      d150feb631d6e9050b7fb76db57504e6dcc2715fe03e45db095f50d56a9495a5

    • SHA512

      c21193698a03259eb486ebfb281e4c8fb7224814fd81d9d676c3ff8f7c9ebb8f277ef03cf5025b648e88849cca8731d16b7735288e49b0bf04da9336b4279b31

    • SSDEEP

      6144:0QT73Grj0u1H+DTqKXKqYpwGspOzo5R7dhV0iyIwu5CfQxt/vVauu1fmLA3Kjx4b:rTDu0a+DnHpOAHVtyIV5cQXHUuuU+6Bw

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Malware-Feed-master/2020.06.22_FBI-FLASH-MI-000124-MW/5b0ba8d58a64630cb5fcb80e72520bd2ef6f322003fa2588d4d594620e6685ae

    • Size

      392KB

    • MD5

      e8973e617a743a5597b63ce268986761

    • SHA1

      a45f057cbf44a70d010ea02e5417e06314b60a0a

    • SHA256

      5b0ba8d58a64630cb5fcb80e72520bd2ef6f322003fa2588d4d594620e6685ae

    • SHA512

      8d28bfc622ceef532027bf38713c838960e9bb16d1a70b94747340ef44de74055c934f006626d6ee7c40146a84a5ac0616b38f820723e671897294f7647cd3e0

    • SSDEEP

      6144:T6ZBcAMRxFPhXOyCHDC2sl10rhXqJ5xb21lDs4+J1sySCTTy5mw3ZZbZ2P:CcAuT5+bHDC2cmhXqJ5xgmGvCTit/oP

    • Score

      1/10

    • Target

      Malware-Feed-master/2020.06.22_FBI-FLASH-MI-000124-MW/7b98cd3800dede6537cf78e7b61eeeda71d251dc97c70cb7c2135c6aa310ab7f

    • Size

      1.4MB

    • MD5

      e7351df51633435293ddc09de7fdc57c

    • SHA1

      08e1c2328773a1040194446d0814fc07673526bf

    • SHA256

      7b98cd3800dede6537cf78e7b61eeeda71d251dc97c70cb7c2135c6aa310ab7f

    • SHA512

      705420ca8ea83df7dc0e2155a00aef5b0d4c32ac4db3e7332d84e7e16bc52ffc4bc5f80ed76790c163aa2a317edd9d86eb16d062352f3c466ca50db10556eabd

    • SSDEEP

      24576:Htb20pkaCqT5TBWgNQ7aqia9uDTlos7hTt2WB2W+DZJBSI6A:EVg5tQ7aq7MTqcGWgPn5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      Malware-Feed-master/2020.06.22_FBI-FLASH-MI-000124-MW/d150feb631d6e9050b7fb76db57504e6dcc2715fe03e45db095f50d56a9495a5

    • Size

      378KB

    • MD5

      1179a7989031fc4b6331505b388dcb12

    • SHA1

      eb644752ffb7d9b12511a0d10448150c91eb30bd

    • SHA256

      d150feb631d6e9050b7fb76db57504e6dcc2715fe03e45db095f50d56a9495a5

    • SHA512

      c21193698a03259eb486ebfb281e4c8fb7224814fd81d9d676c3ff8f7c9ebb8f277ef03cf5025b648e88849cca8731d16b7735288e49b0bf04da9336b4279b31

    • SSDEEP

      6144:0QT73Grj0u1H+DTqKXKqYpwGspOzo5R7dhV0iyIwu5CfQxt/vVauu1fmLA3Kjx4b:rTDu0a+DnHpOAHVtyIV5cQXHUuuU+6Bw

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Malware-Feed-master/2020.06.22_FBI-FLASH-MI-000124-MW/da26ba1e13ce4702bd5154789ce1a699ba206c12021d9823380febd795f5b002

    • Size

      1.1MB

    • MD5

      9498ba71b33e9e9e19c352579e0d1b0a

    • SHA1

      39419cf0c4a2aec86db7e87aaecf2972ed7cddb6

    • SHA256

      da26ba1e13ce4702bd5154789ce1a699ba206c12021d9823380febd795f5b002

    • SHA512

      780d617fc6fd03bd54bfe8fdad3dea57e558a7b06d03304d77fc2cf7c7dac584bea844c15e3afd6416bb3bd1266c7287864571eb3cacf2aa014b0a5a381561e0

    • SSDEEP

      24576:8tb20pkaCqT5TBWgNQ7a369EIqcxl/KXm6A:lVg5tQ7a36F/B5

    • Target

      Malware-Feed-master/2020.06.22_FBI-FLASH-MI-000124-MW/e4e5c3a6c15beff4e17117075e2c0bd65f176d81e6885134d2b4d97c20d4773a

    • Size

      388KB

    • MD5

      76fffeef410bd6b633c09c0f6529891d

    • SHA1

      774a51b0b07a7c606672a669fca5939b25b53e66

    • SHA256

      e4e5c3a6c15beff4e17117075e2c0bd65f176d81e6885134d2b4d97c20d4773a

    • SHA512

      1fca78852d9ba98ae4ee2ade1694038e6da6fa2d1e29a82e859f6963d6d86b4247da70c7f9780e0ea36f7f7dff178de9c55a450e528c30a073ebbff94423a3d4

    • SSDEEP

      12288:HTYFk+FX3k1xJo2X/S2v4WAqhafvUT1Pk9J7y:Hck+RMxJX/S2vOgaf6c

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Target

      Malware-Feed-master/2020.06.22_FBI-FLASH-MI-000124-MW/f681c1f8c12956a20c27beb9be1112374fefc7651884d7dd92010b40db1e7bee

    • Size

      762KB

    • MD5

      62f9618752fffbd4ff7d52fdc39ec5fb

    • SHA1

      0aca420c79a13982f5ec8499a35684276bca4433

    • SHA256

      f681c1f8c12956a20c27beb9be1112374fefc7651884d7dd92010b40db1e7bee

    • SHA512

      f87598495b6bba85d77c2cfba2904060bd7031ff3e1a40cd44725e6485bd8c20f935fee360a9a5e7962601344bde64ef407d895346ed3f9c6e2148f0d02d06c9

    • SSDEEP

      12288:+Qm+VW77777I777oE9K/zepqfxPCddcTvxlK2X+jmnhCMtOnMiJ6pD:HfVW77777I77774zepqfwdmrlujyhZ4k

    • Score

      3/10

    • Target

      AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe

    • Size

      1.1MB

    • MD5

      9498ba71b33e9e9e19c352579e0d1b0a

    • SHA1

      39419cf0c4a2aec86db7e87aaecf2972ed7cddb6

    • SHA256

      da26ba1e13ce4702bd5154789ce1a699ba206c12021d9823380febd795f5b002

    • SHA512

      780d617fc6fd03bd54bfe8fdad3dea57e558a7b06d03304d77fc2cf7c7dac584bea844c15e3afd6416bb3bd1266c7287864571eb3cacf2aa014b0a5a381561e0

    • SSDEEP

      24576:8tb20pkaCqT5TBWgNQ7a369EIqcxl/KXm6A:lVg5tQ7a36F/B5

    • Target

      Malware-Feed-master/2020.07.16_CISA-WELLMAIL/0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494

    • Size

      6.1MB

    • MD5

      01d322dcac438d2bb6bce2bae8d613cb

    • SHA1

      8830e9d90c508adf9053e9803c64375bc9b5161a

    • SHA256

      0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494

    • SHA512

      3705b5ceb4ea06370da2a0d73b60e776c9528545704442d0872b75d8593966905eb2ad6a4edddec42bed2115bcd22a37154079c73c26d0a9491a9d349c7e4735

    • SSDEEP

      49152:RXKUBXE/J9KhwyXGHjKRwpEcWDm4grE/jwgQbl+8cUiFNj8hqTQqc5Y4lZT3iDS7:ZK34fLjLU0xQq2YRQD

    • Score

      1/10

    • Target

      Malware-Feed-master/2020.07.16_CISA-WELLMAIL/83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18

    • Size

      2.1MB

    • MD5

      8777a9796565effa01b03cf1cea9d24d

    • SHA1

      53098b025a3f469ebc3e522f7b0999011cafb943

    • SHA256

      83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18

    • SHA512

      e9c2bdcd2b298456726f0fc15ecf3cbfd667a7f0196bd42ecde1058dbfe33aeccb1626a462797cdaf1f32e2515ce08f0fa2d46e34833e0ac098081d9cb89ac41

    • SSDEEP

      49152:xtt6IZ6yPcb6MSsGN4aftKLK8Fa0Bpmy8TxQbjtHpbJ4E:xttn7Pc/Sjb5GpmyWxQVJbJ4E

    • Score

      3/10

    • Target

      Malware-Feed-master/2020.07.23_FBI-FLASH-AC-000129-TT/1d973d05dee26f74ae352325da741928af4327f7a6be27cdec085a31fbea8100

    • Size

      104KB

    • MD5

      7a7ef986808ebb7781f5d64da9d7900c

    • SHA1

      8e4eeac70526a412b0a8bb253d081b273e2b56dd

    • SHA256

      1d973d05dee26f74ae352325da741928af4327f7a6be27cdec085a31fbea8100

    • SHA512

      9ed64de5bda92df080fe60672c7f25d99603f2cbb28ac9255af5f207d943c0fabf962c3fb4a965a7b0f50c48c7db6253ae8223b2abf49b5d8941dfe152425c63

    • SSDEEP

      1536:0PU6uBpkNfzMnIGXF0Ox1GqCYCgq/M//OcIihssWjcdG+lE/HVpC3:0TwozGXF0sEXQ8ihzG+S/1p

    • Server Software Component: Terminal Services DLL

    • Target

      Malware-Feed-master/2020.07.23_FBI-FLASH-AC-000129-TT/37aa87d3408dc3e211d63a3bb38c726787c47c06a19e77f6a14861a91c2dcb35

    • Size

      332KB

    • MD5

      26e71f1d387298162c1b19e858d001a1

    • SHA1

      ecc74b845278696e41220ea1972e31119a5d0869

    • SHA256

      37aa87d3408dc3e211d63a3bb38c726787c47c06a19e77f6a14861a91c2dcb35

    • SHA512

      6e919b81b51c3d4f755465219213a6194fbebddff84d3a23377bfac2de7fc2468cceffea95d75ec979d9a706bb8d85aa03579f212879a91d581fe75fdb574421

    • SSDEEP

      6144:NSGCZ4BejCRVfTwEGVyA8mydNLPwPQmTDIH6ECDR5Rnk/Z:NSGCZ0e+7wEmyAhyQ5b6h

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Drops file in System32 directory

    • Target

      Malware-Feed-master/2020.07.23_FBI-FLASH-AC-000129-TT/a1aa0684813cfe9d7ed5c491c8ab132e5583b4fd02187fdae8aa4d934d933f29

    • Size

      123KB

    • MD5

      490d17a5b016f3abc14cc57f955b49b3

    • SHA1

      a1bb73f6581ab51457eb7160be8ee4fb18916153

    • SHA256

      a1aa0684813cfe9d7ed5c491c8ab132e5583b4fd02187fdae8aa4d934d933f29

    • SHA512

      a130433a5b2516ced7a14419edbe006c07e9d58a3a416dd9003fb1cb2a0e7c48a93cb7f1fc38f19536413c355ac1d05a78369dcbc6bbe3cfce2e1df3d81480a5

    • SSDEEP

      3072:pPwPQ+JTu0xIHjWjEJly2sfpfi+l7+sm+2MRThk:pPwPQmTDIH6ECDR5Rnk

    • Score

      8/10

    • Server Software Component: Terminal Services DLL

    • Target

      Malware-Feed-master/2020.07.27_CISA-Legacy_Malware_Targeting_QNAP_NAS/09ab3031796bea1b8b79fcfd2b86dac8f38b1f95f0fce6bd2590361f6dcd6764

    • Size

      18KB

    • MD5

      8cee2a187198648c199c1d135c918a3a

    • SHA1

      a9f39f3b832344a79d32d92ac56c50cdaff0b93c

    • SHA256

      09ab3031796bea1b8b79fcfd2b86dac8f38b1f95f0fce6bd2590361f6dcd6764

    • SHA512

      bb4a8c108c08b4da2ee36f8876c53c2ad28f793cc5ed9999eb81fcead95123adc13d6c718dc3c10e0be75c2b0760251d756a95c61341ff99a84be576d5d00374

    • SSDEEP

      384:S0DO7oJgfOzs0KoWI3xMrKPDWsqLb0Tx75nrzoAU1j:L6TOzs0KfoxBBVcJ

    • Score

      4/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, cryptone, packer, pyinstaller, macro, macro_on_action, aspackv2, stealer, guest, hacked, backdoor, vmprotect, 0, pdf, link, dropper, netwalker, aridviper, slothfulmedia, revengerat, spynote, sandrorat, njrat, comrat, zebrocy, anchordns, cobaltstrike, sunburst, supernova, jupyter, teardrop
Score
10/10

behavioral1

agenttesla, collection, discovery, keylogger, spyware, stealer, trojan, upx
Score
10/10

behavioral2

agenttesla, collection, discovery, keylogger, spyware, stealer, trojan, upx
Score
10/10

behavioral3

collection, credential_access, discovery, spyware, stealer
Score
7/10

behavioral4

collection, credential_access, discovery, spyware, stealer
Score
10/10

behavioral5

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral6

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral7

agenttesla, collection, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral8

agenttesla, collection, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral12

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral13

agenttesla, collection, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral14

agenttesla, collection, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral15

lokibot, collection, discovery, spyware, stealer, trojan
Score
10/10

behavioral16

lokibot, collection, discovery, spyware, stealer, trojan
Score
10/10

behavioral17

collection, credential_access, discovery, spyware, stealer
Score
7/10

behavioral18

collection, credential_access, discovery, spyware, stealer
Score
10/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

lokibot, collection, discovery, spyware, stealer, trojan
Score
10/10

behavioral22

lokibot, collection, discovery, spyware, stealer, trojan
Score
10/10

behavioral23

Score
1/10

behavioral24

discovery
Score
3/10

behavioral25

discovery, persistence
Score
8/10

behavioral26

discovery, persistence
Score
8/10

behavioral27

discovery, persistence
Score
8/10

behavioral28

discovery, persistence
Score
8/10

behavioral29

persistence
Score
8/10

behavioral30

persistence
Score
8/10

behavioral31

discovery
Score
3/10

behavioral32

antivm, discovery
Score
4/10